[Python-Dev] Challenge: Please break this! [Now with blog post]

Greg Ewing greg.ewing at canterbury.ac.nz
Tue Feb 24 01:16:17 CET 2009


tav wrote:
> But that doesn't invalidate
> the model or the possibility of using it in Python.

However, there's also the matter of whether it's
*practical* to use the model in Python.

The custom-string exploit illustrates that you have
to be extremely careful what you do with, and
what you assume about, anything given to you by
untrusted code.

How confident is the user of the capability model
going to be that there isn't some other obscure
exploit that he hasn't thought of?

To be able to have confidence in it, a capability
model needs to start with objects having no
capabilities at all, and you deliberately add the
capabilities you want it to have.

But Python objects come by default with a huge
number of capabilities, designed to allow the
programmer to do just about anything he wants
short of wrecking the internals of the interpreter
(wrecking the rest of his computer is fine,
though :-).

And you not only have to think about the
capabilities of the objects that you give to
others, but the capabilities of objects that
others give to you -- and be careful not to
use any of them in a way that could fool you.

So while the model may be theoretically sound,
applying it to Python is not easy to do in a
way that one can have confidence in.

-- 
Greg
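A constructed illustration of the point about custom strings, added here as editor's example; it is not code from this thread or from tav's sandbox, and `ALLOWED_PREFIX`, `CustomStr`, `naive_guard`, `strict_guard` and `check` are all names made up for it. A guard that asks an untrusted object about itself (calling its `startswith`) is fooled by a `str` subclass that overrides that method; a guard that first copies the value into a plain `str` via the base type's own `str.__str__` never runs caller-supplied code, and refuses anything that is not a string at all.

```python
# Constructed example (not from the Python-Dev thread): the difference between
# trusting methods of an object handed to you and inspecting a plain copy of it.

ALLOWED_PREFIX = "/sandbox/"   # constructed policy: only paths under this root


class CustomStr(str):
    """A str subclass that overrides the method a naive guard relies on.

    It stands in for "anything given to you by untrusted code": the object
    *is* a str, but its behaviour is whatever the caller chose."""

    def startswith(self, prefix, *args):
        # Answers "yes" regardless of the actual contents.
        return True


def naive_guard(name):
    """Checks the policy by calling methods on the object itself."""
    if not isinstance(name, str):
        raise TypeError("expected a str")
    # This runs CustomStr.startswith if the caller passed a subclass.
    if not name.startswith(ALLOWED_PREFIX):
        raise PermissionError(name)
    return name


def strict_guard(name):
    """Checks the policy on a plain-str copy, never on the caller's object.

    str.__str__ is the base type's implementation: for an exact str it
    returns the same object, for a subclass a plain str with the same
    characters, and for a non-str it raises TypeError. No method defined by
    the caller is ever invoked."""
    plain = str.__str__(name)
    if not plain.startswith(ALLOWED_PREFIX):
        raise PermissionError(plain)
    return plain


def check(guard, name):
    """Summarise a guard's verdict as 'allowed', 'denied' or 'rejected'."""
    try:
        guard(name)
    except PermissionError:
        return "denied"
    except TypeError:
        return "rejected"
    return "allowed"


if __name__ == "__main__":
    for guard in (naive_guard, strict_guard):
        for arg in ("/sandbox/a.txt", "/etc/passwd", CustomStr("/etc/passwd"), 42):
            print(guard.__name__, repr(arg), "->", check(guard, arg))
```

The strict guard also returns the plain copy rather than the original object, so whatever is done with the value afterwards (opening a file, logging it, comparing it) is done with an exact `str` and not with the caller's subclass.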

